| 知乎专栏 | 多维度架构 |
目录
[root@netkiller ~]# docker run -d --name shadowsocks \
-p 8388:8388 \
-e PASSWORD=netkiller \
shadowsocks/shadowsocks-libev
[root@netkiller ~]# docker exec -it shadowsocks ps
PID USER TIME COMMAND
1 nobody 0:00 ss-server -s 0.0.0.0 -p 8388 -k netkiller -m aes-256-gcm -t 300 -d 8.8.8.8,8.8.4.4 -u
19 nobody 0:00 ps
yum install epel-release -y
pip install shadowsocks
cat > /etc/sysctl.d/local.conf << EOF
# max open files
fs.file-max = 51200
# max read buffer
net.core.rmem_max = 67108864
# max write buffer
net.core.wmem_max = 67108864
# default read buffer
net.core.rmem_default = 65536
# default write buffer
net.core.wmem_default = 65536
# max processor input queue
net.core.netdev_max_backlog = 4096
# max backlog
net.core.somaxconn = 4096
# resist SYN flood attacks
net.ipv4.tcp_syncookies = 1
# reuse timewait sockets when safe
net.ipv4.tcp_tw_reuse = 1
# turn off fast timewait sockets recycling
net.ipv4.tcp_tw_recycle = 0
# short FIN timeout
net.ipv4.tcp_fin_timeout = 30
# short keepalive time
net.ipv4.tcp_keepalive_time = 1200
# outbound port range
net.ipv4.ip_local_port_range = 10000 65000
# max SYN backlog
net.ipv4.tcp_max_syn_backlog = 4096
# max timewait sockets held by system simultaneously
net.ipv4.tcp_max_tw_buckets = 5000
# turn on TCP Fast Open on both client and server side
net.ipv4.tcp_fastopen = 3
# TCP receive buffer
net.ipv4.tcp_rmem = 4096 87380 67108864
# TCP write buffer
net.ipv4.tcp_wmem = 4096 65536 67108864
# turn on path MTU discovery
net.ipv4.tcp_mtu_probing = 1
# for high-latency network
net.ipv4.tcp_congestion_control = hybla
# for low-latency network, use cubic instead
# net.ipv4.tcp_congestion_control = cubic
EOF
mkdir -p /etc/shadowsocks/
cat > /etc/shadowsocks/ssserver.json << EOF
{
"server": "0.0.0.0",
"server_port": 8399,
"local_address": "127.0.0.1",
"local_port": 1080,
"password": "netkiller",
"timeout": 300,
"method": "aes-256-cfb",
"fast_open": false
}
EOF
# 启动
ssserver -c /etc/shadowsocks/ssserver.json -d start
wget -N --no-check-certificate https://raw.githubusercontent.com/wn789/serverspeeder/master/serverspeeder.sh
bash serverspeeder.sh
service serverSpeeder start
service serverSpeeder start #启动 service serverSpeeder stop #停止 service serverSpeeder reload #重新加载配置 service serverSpeeder restart #重启 service serverSpeeder status #状态 service serverSpeeder stats #统计 service serverSpeeder renewLic #更新许可文件 service serverSpeeder update #更新 chattr -i /serverspeeder/etc/apx* && /serverspeeder/bin/serverSpeeder.sh uninstall -f #卸载
[root@iZj6c39y62jl5b1wmfv6u8Z ~]# ssserver --help usage: ssserver [OPTION]... A fast tunnel proxy that helps you bypass firewalls. You can supply configurations via either config file or command line arguments. Proxy options: -c CONFIG path to config file -s SERVER_ADDR server address, default: 0.0.0.0 -p SERVER_PORT server port, default: 8388 -k PASSWORD password -m METHOD encryption method, default: aes-256-cfb -t TIMEOUT timeout in seconds, default: 300 --fast-open use TCP_FASTOPEN, requires Linux 3.7+ --workers WORKERS number of workers, available on Unix/Linux --forbidden-ip IPLIST comma seperated IP list forbidden to connect --manager-address ADDR optional server manager UDP address, see wiki General options: -h, --help show this help message and exit -d start/stop/restart daemon mode --pid-file PID_FILE pid file for daemon mode --log-file LOG_FILE log file for daemon mode --user USER username to run as -v, -vv verbose mode -q, -qq quiet mode, only show warnings/errors --version show version information Online help: <https://github.com/shadowsocks/shadowsocks>
不适用配置文件,命令行启动方法。
ssserver -s ::0 -p 448 -k passw0rd -m aes-256-cfb --user nobody --workers 2 -d start
https://github.com/shadowsocks/shadowsocks-windows/releases
root@netkiller:~# cat /etc/shadowsocks.json
{
"server":"ss.netkiller.cn",
"server_port":3389,
"local_address": "127.0.0.1",
"local_port":1080,
"password":"netkiller",
"timeout":600,
"method":"aes-256-cfb"
}
sslocal -c /etc/shadowsocks.json -d start
install.
$ sudo apt-get install dante-server
configure.
$ sudo vim /etc/danted.conf
$ cat /etc/danted.conf | sed s/^#.*//g | sed -r /^$/d
logoutput: /tmp/socks.log
internal: eth0 port = 1080
external: 172.16.0.1
method: username none #rfc931
clientmethod: none
user.privileged: proxy
user.notprivileged: nobody
user.libwrap: nobody
client pass {
from: 0.0.0.0/0 port 1-65535 to: 0.0.0.0/0
log: connect disconnect error
}
pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
protocol: tcp udp
}
Once the config is complete. Start/Restart dante socks server:
$ sudo /etc/init.d/danted start
check to see if server is listening on 1080
$ netstat -n -a |grep 1080 tcp 0 0 172.16.0.1:1080 0.0.0.0:* LISTEN tcp 0 0 172.16.0.1:1080 10.8.0.6:1485 TIME_WAIT
Make sure the firewall is open.
$ grep socks /etc/services socks 1080/tcp # socks proxy server socks 1080/udp $ sudo ufw allow socks Rule added
SSH Tunnel
internal: 127.0.0.1 port = 1080 ssh -L 1080:localhost:1080 username@yourserver or ssh user@server.com -D 1080 # -D is for Dynamic Port Forwarding.
注意:hpsockd 不支持 socks5
$ sudo apt-get install hpsockd $ sudo cp /usr/share/doc/hpsockd/examples/hpsockd.conf /etc/hpsockd.conf $ sudo vim /etc/hpsockd.conf
@@MYNET@@/@@NETSIZE@@ 替换为 网络与子网掩码 如:172.16.0.0/24
$ cat /etc/hpsockd.conf
daemon {
name "sockd";
listen-address { 0.0.0.0; };
directory "/var/cache/hpsockd";
negotiate-file "negot_file"; # must be specified
# inetdsec-file "/var/adm/inetd.sec"; # default is no inetd.sec
# listen {1,252};
# client {1,200};
# pre-fork 1;
# service "socks";
port 1080;
# poll 1m;
# user -2;
user "nobody";
# dns-helper 1;
# flags { };
};
logging {
# facility "daemon";
# level 2;
dump-prefix "sockd.dump"; # if not specified, you get no dumps
usage-log "usage.log"; # if not specified, you get no logging
};
env {
PING="/bin/ping %z";
TRACEROUTE="/usr/sbin/traceroute %z";
};
default {
# timeout 2h;
# setup-timeout 15m;
# bufsize 32768;
};
route {
{ default host }; # must have at least one route
};
method-list {
{ number 0; name "noAuth"; internal; flags 0; };
{ number 2; name "userPass"; internal; flags 0; };
{ number 254; name "v4"; internal; flags 0; };
};
client-method {
{ src { 10.10.0.0/24; }; method { "userPass"; "v4"; "noAuth"; }; };
};
client {
permit traceroute { # Let net 10.10.0.0 traceroute even net 10.10.0.0.
src { 10.10.0.0/24; };
};
deny { # block X traffic
port { 6000-6099; };
};
deny { # Nothing bound for net 10.10.0.0, or private
dest { 10.10.0.0/24; 127/8; 10/8; 172.16/12; 192.168/16; };
};
permit { # give ftp control sessions longer
src { 10.10.0.0/24; };
port { "ftp"; };
timeout 1d;
};
permit { # Let net 10.10.0.0 out
src { 10.10.0.0/24; };
timeout 1h;
};
deny { }; # nuke everyone else (default action)
};